From d965167334efae963a8f7622733086a4b2f883f9 Mon Sep 17 00:00:00 2001 From: Rafal Foks Date: Wed, 2 Nov 2022 10:27:27 +0100 Subject: [PATCH] Caching the OAuth tokens in Application Gateway (#15924) * add clientSecret to cache key * cache key, first approach * cache key by SHA on mTLS OAuth * invalidate mTLS token cache * fix nil pointer, doc update, secret modify * delete unnecessary files * generate client cert with incorrect ca * bump images * apply review sugestions * revert clientid --- .../metadata/serviceapi/serviceapiservice.go | 1 + .../externaltokenstrategy_test.go | 2 +- .../pkg/authorization/factory.go | 8 +-- .../pkg/authorization/factory_test.go | 15 +++--- .../pkg/authorization/mocks/OAuthClient.go | 27 +++++----- .../pkg/authorization/model.go | 1 + .../pkg/authorization/oauth/mocks/Client.go | 27 +++++----- .../pkg/authorization/oauth/oauthclient.go | 52 +++++++++++++----- .../authorization/oauth/oauthclient_test.go | 54 ++++++++++++++++--- .../pkg/authorization/oauthcertstrategy.go | 17 ++---- .../authorization/oauthcertstrategy_test.go | 20 +++---- .../pkg/authorization/oauthstrategy.go | 2 +- .../pkg/authorization/oauthstrategy_test.go | 2 +- resources/application-connector/values.yaml | 2 +- .../Makefile.test-application-gateway | 1 + .../docs/application-gateway-tests.md | 2 +- .../mtls-oauth-nagative-other-ca.yaml | 6 +-- ...ls-oauth-negative-expired-client-cert.yaml | 2 +- ...ls-oauth-negative-expired-server-cert.yaml | 6 +-- .../resources/charts/gateway-test/values.yaml | 4 +- 20 files changed, 155 insertions(+), 96 deletions(-) diff --git a/components/central-application-gateway/internal/metadata/serviceapi/serviceapiservice.go b/components/central-application-gateway/internal/metadata/serviceapi/serviceapiservice.go index 1bc4737818ed..e5aafb9c48a1 100644 --- a/components/central-application-gateway/internal/metadata/serviceapi/serviceapiservice.go 
+++ b/components/central-application-gateway/internal/metadata/serviceapi/serviceapiservice.go @@ -175,6 +175,7 @@ func getOAuthWithCertCredentials(secret map[string][]byte, url string) (*authori return &authorization.OAuthWithCert{ ClientID: string(secret[ClientIDKey]), + ClientSecret: string(secret[ClientSecretKey]), Certificate: secret[CertificateKey], PrivateKey: secret[PrivateKeyKey], URL: url, diff --git a/components/central-application-gateway/pkg/authorization/externaltokenstrategy_test.go b/components/central-application-gateway/pkg/authorization/externaltokenstrategy_test.go index ee4893a342fa..ea142c8a1548 100644 --- a/components/central-application-gateway/pkg/authorization/externaltokenstrategy_test.go +++ b/components/central-application-gateway/pkg/authorization/externaltokenstrategy_test.go @@ -64,7 +64,7 @@ func TestExternalAuthStrategy(t *testing.T) { t.Run("should call Invalidate method on the provided strategy", func(t *testing.T) { // given oauthClientMock := &mocks.Client{} - oauthClientMock.On("InvalidateTokenCache", "clientId", "www.example.com/token").Return("token", nil).Once() + oauthClientMock.On("InvalidateTokenCache", "clientId", "clientSecret", "www.example.com/token").Return("token", nil).Once() oauthStrategy := newOAuthStrategy(oauthClientMock, "clientId", "clientSecret", "www.example.com/token", nil) diff --git a/components/central-application-gateway/pkg/authorization/factory.go b/components/central-application-gateway/pkg/authorization/factory.go index 757abbddede9..381b10e90647 100644 --- a/components/central-application-gateway/pkg/authorization/factory.go +++ b/components/central-application-gateway/pkg/authorization/factory.go @@ -1,7 +1,6 @@ package authorization import ( - "crypto/tls" "net/http" "github.com/kyma-project/kyma/components/central-application-gateway/pkg/authorization/oauth" 
@@ -29,9 +28,10 @@ type StrategyFactory interface { type OAuthClient interface { // GetToken obtains OAuth token GetToken(clientID string, clientSecret string, authURL string, headers, queryParameters *map[string][]string, skipTLSVerification bool) (string, apperrors.AppError) - GetTokenMTLS(clientID, authURL string, cert tls.Certificate, headers, queryParameters *map[string][]string, skipTLSVerification bool) (string, apperrors.AppError) + GetTokenMTLS(clientID, authURL string, certificate, privateKey []byte, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) // InvalidateTokenCache resets internal token cache - InvalidateTokenCache(clientID string, authURL string) + InvalidateTokenCache(clientID string, clientSecret string, authURL string) + InvalidateTokenCacheMTLS(clientID, authURL string, certificate, privateKey []byte) } type authorizationStrategyFactory struct { @@ -47,7 +47,7 @@ func (asf authorizationStrategyFactory) create(c *Credentials) Strategy { if c != nil && c.OAuth != nil { return newOAuthStrategy(asf.oauthClient, c.OAuth.ClientID, c.OAuth.ClientSecret, c.OAuth.URL, c.OAuth.RequestParameters) } else if c != nil && c.OAuthWithCert != nil { - oAuthStrategy := newOAuthWithCertStrategy(asf.oauthClient, c.OAuthWithCert.ClientID, c.OAuthWithCert.Certificate, c.OAuthWithCert.PrivateKey, c.OAuthWithCert.URL, c.OAuthWithCert.RequestParameters) + oAuthStrategy := newOAuthWithCertStrategy(asf.oauthClient, c.OAuthWithCert.ClientID, c.OAuthWithCert.ClientSecret, c.OAuthWithCert.Certificate, c.OAuthWithCert.PrivateKey, c.OAuthWithCert.URL, c.OAuthWithCert.RequestParameters) return &oAuthStrategy } else if c != nil && c.BasicAuth != nil { return newBasicAuthStrategy(c.BasicAuth.Username, c.BasicAuth.Password) diff --git a/components/central-application-gateway/pkg/authorization/factory_test.go b/components/central-application-gateway/pkg/authorization/factory_test.go index 87f67d00b986..387a3bb4eac9 100644 
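Review bot: The new `GetTokenMTLS` and `InvalidateTokenCacheMTLS` methods on `OAuthClient` carry no doc comment, while `GetToken` and `InvalidateTokenCache` on the same interface do; add `// GetTokenMTLS obtains an OAuth token, authenticating the token request with the given certificate and private key` and `// InvalidateTokenCacheMTLS resets the cached token for the given mTLS client credentials`. The last parameter is renamed `skipVerify` here while `GetToken` one line above keeps `skipTLSVerification`; one name across the interface avoids doubt about whether the two mean the same thing. The `Client` interface in oauth/oauthclient.go mirrors these methods and has the same documentation gap.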
--- a/components/central-application-gateway/pkg/authorization/factory_test.go +++ b/components/central-application-gateway/pkg/authorization/factory_test.go @@ -2,6 +2,7 @@ package authorization import ( "crypto/tls" + "github.com/kyma-project/kyma/components/central-application-gateway/pkg/authorization/testconsts" "net/http" "testing" @@ -147,19 +148,17 @@ func TestStrategyFactory(t *testing.T) { t.Run("should create oauth with cert strategy", func(t *testing.T) { // given - pair, err := tls.X509KeyPair(certificate, privateKey) - require.NoError(t, err) - oauthClientMock := &oauthMocks.Client{} - oauthClientMock.On("GetTokenMTLS", "clientId", "www.example.com/token", pair, (*map[string][]string)(nil), (*map[string][]string)(nil), false).Return("token", nil) + oauthClientMock.On("GetTokenMTLS", "clientId", "www.example.com/token", []byte(testconsts.Certificate), []byte(testconsts.PrivateKey), (*map[string][]string)(nil), (*map[string][]string)(nil), false).Return("token", nil) factory := authorizationStrategyFactory{oauthClient: oauthClientMock} credentials := &Credentials{ OAuthWithCert: &OAuthWithCert{ - ClientID: "clientId", - Certificate: certificate, - PrivateKey: privateKey, - URL: "www.example.com/token", + ClientID: "clientId", + ClientSecret: "clientSecret", + Certificate: certificate, + PrivateKey: privateKey, + URL: "www.example.com/token", }, } diff --git a/components/central-application-gateway/pkg/authorization/mocks/OAuthClient.go b/components/central-application-gateway/pkg/authorization/mocks/OAuthClient.go index 703dbdc9b9c9..827f147d0b4b 100644 --- a/components/central-application-gateway/pkg/authorization/mocks/OAuthClient.go +++ b/components/central-application-gateway/pkg/authorization/mocks/OAuthClient.go 
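Review bot: The added `testconsts` import sits inside the standard-library group between `crypto/tls` and `net/http`, which is not the grouping `goimports` produces; move it to the project import group below the stdlib block. The same placement appears in oauthclient_test.go (the `apperrors` import) and oauthcertstrategy_test.go (the `testconsts` import), so one pass with `goimports` over the three test files would fix all of them.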
@@ -6,8 +6,6 @@ import ( apperrors "github.com/kyma-project/kyma/components/central-application-gateway/pkg/apperrors" mock "github.com/stretchr/testify/mock" - - tls "crypto/tls" ) // OAuthClient is an autogenerated mock type for the OAuthClient type 
@@ -38,20 +36,20 @@ func (_m *OAuthClient) GetToken(clientID string, clientSecret string, authURL st return r0, r1 } -// GetTokenMTLS provides a mock function with given fields: clientID, authURL, cert, headers, queryParameters, skipTLSVerification -func (_m *OAuthClient) GetTokenMTLS(clientID string, authURL string, cert tls.Certificate, headers *map[string][]string, queryParameters *map[string][]string, skipTLSVerification bool) (string, apperrors.AppError) { - ret := _m.Called(clientID, authURL, cert, headers, queryParameters, skipTLSVerification) +// GetTokenMTLS provides a mock function with given fields: clientID, authURL, certificate, privateKey, headers, queryParameters, skipVerify +func (_m *OAuthClient) GetTokenMTLS(clientID string, authURL string, certificate []byte, privateKey []byte, headers *map[string][]string, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) { + ret := _m.Called(clientID, authURL, certificate, privateKey, headers, queryParameters, skipVerify) var r0 string - if rf, ok := ret.Get(0).(func(string, string, tls.Certificate, *map[string][]string, *map[string][]string, bool) string); ok { - r0 = rf(clientID, authURL, cert, headers, queryParameters, skipTLSVerification) + if rf, ok := ret.Get(0).(func(string, string, []byte, []byte, *map[string][]string, *map[string][]string, bool) string); ok { + r0 = rf(clientID, authURL, certificate, privateKey, headers, queryParameters, skipVerify) } else { r0 = ret.Get(0).(string) } var r1 apperrors.AppError - if rf, ok := ret.Get(1).(func(string, string, tls.Certificate, *map[string][]string, *map[string][]string, bool) apperrors.AppError); ok { - r1 = rf(clientID, authURL, cert, headers, queryParameters, skipTLSVerification) + if rf, ok := ret.Get(1).(func(string, string, []byte, []byte, *map[string][]string, *map[string][]string, bool) apperrors.AppError); ok { + r1 = rf(clientID, authURL, certificate, privateKey, headers, queryParameters, skipVerify) } else { if 
ret.Get(1) != nil { r1 = ret.Get(1).(apperrors.AppError) @@ -61,9 +59,14 @@ func (_m *OAuthClient) GetTokenMTLS(clientID string, authURL string, cert tls.Ce return r0, r1 } -// InvalidateTokenCache provides a mock function with given fields: clientID, authURL -func (_m *OAuthClient) InvalidateTokenCache(clientID string, authURL string) { - _m.Called(clientID, authURL) +// InvalidateTokenCache provides a mock function with given fields: clientID, clientSecret, authURL +func (_m *OAuthClient) InvalidateTokenCache(clientID string, clientSecret string, authURL string) { + _m.Called(clientID, clientSecret, authURL) +} + +// InvalidateTokenCacheMTLS provides a mock function with given fields: clientID, authURL, certificate, privateKey +func (_m *OAuthClient) InvalidateTokenCacheMTLS(clientID string, authURL string, certificate []byte, privateKey []byte) { + _m.Called(clientID, authURL, certificate, privateKey) } type mockConstructorTestingTNewOAuthClient interface { diff --git a/components/central-application-gateway/pkg/authorization/model.go b/components/central-application-gateway/pkg/authorization/model.go index f668cd6c0593..5dda6a34a2e4 100644 --- a/components/central-application-gateway/pkg/authorization/model.go +++ b/components/central-application-gateway/pkg/authorization/model.go @@ -47,6 +47,7 @@ type CertificateGen struct { type OAuthWithCert struct { URL string ClientID string + ClientSecret string Certificate []byte PrivateKey []byte RequestParameters *RequestParameters diff --git a/components/central-application-gateway/pkg/authorization/oauth/mocks/Client.go b/components/central-application-gateway/pkg/authorization/oauth/mocks/Client.go index 5a2b9b177e95..5d97fce9fa47 100644 --- a/components/central-application-gateway/pkg/authorization/oauth/mocks/Client.go +++ b/components/central-application-gateway/pkg/authorization/oauth/mocks/Client.go 
@@ -5,8 +5,6 @@ package mocks import ( apperrors "github.com/kyma-project/kyma/components/central-application-gateway/pkg/apperrors" mock "github.com/stretchr/testify/mock" - - tls "crypto/tls" ) // Client is an autogenerated mock type for the Client type 
@@ -37,20 +35,20 @@ func (_m *Client) GetToken(clientID string, clientSecret string, authURL string, return r0, r1 } -// GetTokenMTLS provides a mock function with given fields: clientID, authURL, cert, headers, queryParameters, skipVerify -func (_m *Client) GetTokenMTLS(clientID string, authURL string, cert tls.Certificate, headers *map[string][]string, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) { - ret := _m.Called(clientID, authURL, cert, headers, queryParameters, skipVerify) +// GetTokenMTLS provides a mock function with given fields: clientID, authURL, certificate, privateKey, headers, queryParameters, skipVerify +func (_m *Client) GetTokenMTLS(clientID string, authURL string, certificate []byte, privateKey []byte, headers *map[string][]string, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) { + ret := _m.Called(clientID, authURL, certificate, privateKey, headers, queryParameters, skipVerify) var r0 string - if rf, ok := ret.Get(0).(func(string, string, tls.Certificate, *map[string][]string, *map[string][]string, bool) string); ok { - r0 = rf(clientID, authURL, cert, headers, queryParameters, skipVerify) + if rf, ok := ret.Get(0).(func(string, string, []byte, []byte, *map[string][]string, *map[string][]string, bool) string); ok { + r0 = rf(clientID, authURL, certificate, privateKey, headers, queryParameters, skipVerify) } else { r0 = ret.Get(0).(string) } var r1 apperrors.AppError - if rf, ok := ret.Get(1).(func(string, string, tls.Certificate, *map[string][]string, *map[string][]string, bool) apperrors.AppError); ok { - r1 = rf(clientID, authURL, cert, headers, queryParameters, skipVerify) + if rf, ok := ret.Get(1).(func(string, string, []byte, []byte, *map[string][]string, *map[string][]string, bool) apperrors.AppError); ok { + r1 = rf(clientID, authURL, certificate, privateKey, headers, queryParameters, skipVerify) } else { if ret.Get(1) != nil { r1 = 
ret.Get(1).(apperrors.AppError) @@ -60,9 +58,14 @@ func (_m *Client) GetTokenMTLS(clientID string, authURL string, cert tls.Certifi return r0, r1 } -// InvalidateTokenCache provides a mock function with given fields: clientID, authURL -func (_m *Client) InvalidateTokenCache(clientID string, authURL string) { - _m.Called(clientID, authURL) +// InvalidateTokenCache provides a mock function with given fields: clientID, clientSecret, authURL +func (_m *Client) InvalidateTokenCache(clientID string, clientSecret string, authURL string) { + _m.Called(clientID, clientSecret, authURL) +} + +// InvalidateTokenCacheMTLS provides a mock function with given fields: clientID, authURL, certificate, privateKey +func (_m *Client) InvalidateTokenCacheMTLS(clientID string, authURL string, certificate []byte, privateKey []byte) { + _m.Called(clientID, authURL, certificate, privateKey) } type mockConstructorTestingTNewClient interface { diff --git a/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go b/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go index 4ceaea059833..0a3aa0e4215d 100644 --- a/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go +++ b/components/central-application-gateway/pkg/authorization/oauth/oauthclient.go @@ -2,8 +2,11 @@ package oauth import ( "context" + "crypto/sha256" "crypto/tls" + "encoding/hex" "encoding/json" + "fmt" "io/ioutil" "net/http" "net/url" 
@@ -27,8 +30,9 @@ type oauthResponse struct {
 //go:generate mockery --name=Client
 type Client interface {
 	GetToken(clientID, clientSecret, authURL string, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError)
-	GetTokenMTLS(clientID, authURL string, cert tls.Certificate, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError)
-	InvalidateTokenCache(clientID string, authURL string)
+	GetTokenMTLS(clientID, authURL string, certificate, privateKey []byte, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError)
+	InvalidateTokenCache(clientID string, clientSecret string, authURL string)
+	InvalidateTokenCacheMTLS(clientID, authURL string, certificate, privateKey []byte)
 }
 
 type client struct {
@@ -44,7 +48,7 @@ func NewOauthClient(timeoutDuration int, tokenCache tokencache.TokenCache) Clien
 }
 
 func (c *client) GetToken(clientID, clientSecret, authURL string, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) {
-	token, found := c.tokenCache.Get(c.makeOAuthTokenCacheKey(clientID, authURL))
+	token, found := c.tokenCache.Get(c.makeOAuthTokenCacheKey(clientID, clientSecret, authURL))
 	if found {
 		return token, nil
 	}
@@ -54,34 +58,56 @@ func (c *client) GetToken(clientID, clientSecret, authURL string, headers, query
 		return "", err
 	}
 
-	c.tokenCache.Add(c.makeOAuthTokenCacheKey(clientID, authURL), tokenResponse.AccessToken, tokenResponse.ExpiresIn)
+	c.tokenCache.Add(c.makeOAuthTokenCacheKey(clientID, clientSecret, authURL), tokenResponse.AccessToken, tokenResponse.ExpiresIn)
 
 	return tokenResponse.AccessToken, nil
 }
 
-func (c *client) GetTokenMTLS(clientID, authURL string, cert tls.Certificate, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) {
-	token, found := c.tokenCache.Get(c.makeOAuthTokenCacheKey(clientID, authURL))
+func (c *client) GetTokenMTLS(clientID, authURL string, certificate, privateKey []byte, headers, queryParameters *map[string][]string, skipVerify bool) (string, apperrors.AppError) {
+	token, found := c.tokenCache.Get(c.makeMTLSOAuthTokenCacheKey(clientID, authURL, certificate, privateKey))
 	if found {
 		return token, nil
 	}
 
-	tokenResponse, err := c.requestTokenMTLS(clientID, authURL, cert, headers, queryParameters, skipVerify)
+	cert, err := tls.X509KeyPair(certificate, privateKey)
 	if err != nil {
-		return "", err
+		return "", apperrors.Internal("Failed to prepare certificate, %s", err.Error())
+	}
+
+	tokenResponse, requestError := c.requestTokenMTLS(clientID, authURL, cert, headers, queryParameters, skipVerify)
+	if err != nil {
+		return "", requestError
+	}
+
+	if tokenResponse == nil {
+		return "", apperrors.Internal("Failed to fetch token, possible certificate problem")
 	}
 
-	c.tokenCache.Add(c.makeOAuthTokenCacheKey(clientID, authURL), tokenResponse.AccessToken, tokenResponse.ExpiresIn)
+	c.tokenCache.Add(c.makeMTLSOAuthTokenCacheKey(clientID, authURL, certificate, privateKey), tokenResponse.AccessToken, tokenResponse.ExpiresIn)
 
 	return tokenResponse.AccessToken, nil
 }
 
-func (c *client) InvalidateTokenCache(clientID, authURL string) {
-	c.tokenCache.Remove(c.makeOAuthTokenCacheKey(clientID, authURL))
+func (c *client) 
InvalidateTokenCache(clientID, clientSecret, authURL string) {
+	c.tokenCache.Remove(c.makeOAuthTokenCacheKey(clientID, clientSecret, authURL))
+}
+
+func (c *client) InvalidateTokenCacheMTLS(clientID, authURL string, certificate, privateKey []byte) {
+	c.tokenCache.Remove(c.makeMTLSOAuthTokenCacheKey(clientID, authURL, certificate, privateKey))
 }
 
 // to avoid case of single clientID and different endpoints for MTLS and standard oauth
-func (c *client) makeOAuthTokenCacheKey(clientID, authURL string) string {
-	return clientID + authURL
+func (c *client) makeOAuthTokenCacheKey(clientID, clientSecret, authURL string) string {
+	return clientID + clientSecret + authURL
+}
+
+func (c *client) makeMTLSOAuthTokenCacheKey(clientID, authURL string, certificate, privateKey []byte) string {
+	certificateSha := sha256.Sum256(certificate)
+	keySha := sha256.Sum256(privateKey)
+
+	hashedCertificate := hex.EncodeToString(certificateSha[:])
+	hashedKey := hex.EncodeToString(keySha[:])
+	return fmt.Sprintf("%v-%v-%v-%v", clientID, hashedCertificate, hashedKey, authURL)
 }
 
 func (c *client) requestToken(clientID, clientSecret, authURL string, headers, queryParameters *map[string][]string, skipVerify bool) (*oauthResponse, apperrors.AppError) {
diff --git a/components/central-application-gateway/pkg/authorization/oauth/oauthclient_test.go b/components/central-application-gateway/pkg/authorization/oauth/oauthclient_test.go
index 102ce62a0786..420df2b99823 100644
--- a/components/central-application-gateway/pkg/authorization/oauth/oauthclient_test.go
+++ b/components/central-application-gateway/pkg/authorization/oauth/oauthclient_test.go
@@ -3,6 +3,7 @@ package oauth
 import (
 	"encoding/base64"
 	"encoding/json"
+	"github.com/kyma-project/kyma/components/central-application-gateway/pkg/apperrors"
 	"net/http"
 	"net/http/httptest"
 	"strings"
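Review bot: In `GetTokenMTLS` the check that follows `requestTokenMTLS` tests `err`, which at that point is the already-nil result of `tls.X509KeyPair`, so `requestError` is never returned; a failed token request instead falls through to the `tokenResponse == nil` guard and is reported as "possible certificate problem", hiding the real cause from logs and callers. Change it to `if requestError != nil { return "", requestError }` and keep the nil guard only as a defensive fallback. `makeOAuthTokenCacheKey` also joins `clientID + clientSecret + authURL` with no separator, so different credential triples can map to one key, and it puts the plaintext client secret into the cache key while the mTLS key hashes its material; hashing the secret the same way and separating the fields keeps the two key formats consistent. The expectations in oauthclient_test.go that build `"testID" + "testSecret" + ts.URL` would need the matching change.
```go
	tokenResponse, requestError := c.requestTokenMTLS(clientID, authURL, cert, headers, queryParameters, skipVerify)
	if requestError != nil {
		return "", requestError
	}
	// … unchanged: nil guard, cache add, return …

func (c *client) makeOAuthTokenCacheKey(clientID, clientSecret, authURL string) string {
	// Hash the secret so the cache key never carries it in the clear.
	secretSha := sha256.Sum256([]byte(clientSecret))
	return fmt.Sprintf("%v-%v-%v", clientID, hex.EncodeToString(secretSha[:]), authURL)
}
```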
@@ -19,7 +20,7 @@ func TestOauthClient_GetToken(t *testing.T) { t.Run("should get token from cache if present", func(t *testing.T) { // given tokenCache := mocks.TokenCache{} - tokenCache.On("Get", "testID").Return("123456789", true) + tokenCache.On("Get", "testIDtestSecret").Return("123456789", true) oauthClient := NewOauthClient(10, &tokenCache) @@ -45,7 +46,7 @@ func TestOauthClient_GetToken(t *testing.T) { })) defer ts.Close() - tokenKey := "testID" + ts.URL + tokenKey := "testID" + "testSecret" + ts.URL tokenCache := mocks.TokenCache{} tokenCache.On("Get", tokenKey).Return("", false) @@ -77,7 +78,7 @@ func TestOauthClient_GetToken(t *testing.T) { ts.StartTLS() defer ts.Close() - tokenKey := "testID" + ts.URL + tokenKey := "testID" + "testSecret" + ts.URL tokenCache := mocks.TokenCache{} tokenCache.On("Get", tokenKey).Return("", false) @@ -115,7 +116,7 @@ func TestOauthClient_GetToken(t *testing.T) { })) defer ts.Close() - tokenKey := "testID" + ts.URL + tokenKey := "testID" + "testSecret" + ts.URL tokenCache := mocks.TokenCache{} tokenCache.On("Get", tokenKey).Return("", false) @@ -140,7 +141,7 @@ func TestOauthClient_GetToken(t *testing.T) { })) defer ts.Close() - tokenKey := "testID" + ts.URL + tokenKey := "testID" + "testSecret" + ts.URL tokenCache := mocks.TokenCache{} tokenCache.On("Get", tokenKey).Return("", false) @@ -166,7 +167,7 @@ func TestOauthClient_GetToken(t *testing.T) { })) defer ts.Close() - tokenKey := "testID" + ts.URL + tokenKey := "testID" + "testSecret" + ts.URL tokenCache := mocks.TokenCache{} tokenCache.On("Get", tokenKey).Return("", false) @@ -184,7 +185,7 @@ func TestOauthClient_GetToken(t *testing.T) { t.Run("should fail if OAuth address is incorrect", func(t *testing.T) { // given - tokenKey := "testID" + "http://some_no_existent_address.com/token" + tokenKey := "testID" + "testSecret" + "http://some_no_existent_address.com/token" tokenCache := mocks.TokenCache{} tokenCache.On("Get", tokenKey).Return("", false) 
@@ -209,7 +210,7 @@ func TestOauthClient_GetToken(t *testing.T) { ts.StartTLS() defer ts.Close() - tokenKey := "testID" + ts.URL + tokenKey := "testID" + "testSecret" + ts.URL tokenCache := mocks.TokenCache{} tokenCache.On("Get", tokenKey).Return("", false) @@ -226,6 +227,43 @@ func TestOauthClient_GetToken(t *testing.T) { }) } +func TestOauthClient_GetTokenMTLS(t *testing.T) { + var certSHA = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + var keySHA = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + + t.Run("should get token from cache if present", func(t *testing.T) { + // given + tokenCache := mocks.TokenCache{} + tokenCache.On("Get", "testID-"+certSHA+"-"+keySHA+"-testURL").Return("123456789", true) + + oauthClient := NewOauthClient(10, &tokenCache) + + // when + token, err := oauthClient.GetTokenMTLS("testID", "testURL", []byte("test"), []byte("test"), nil, nil, false) + + // then + require.NoError(t, err) + assert.Equal(t, "123456789", token) + tokenCache.AssertExpectations(t) + }) + + t.Run("should fail if Certificate and Private Key is not valid", func(t *testing.T) { + // given + tokenCache := mocks.TokenCache{} + tokenCache.On("Get", "testID-"+certSHA+"-"+keySHA+"-testURL").Return("", false) + + oauthClient := NewOauthClient(10, &tokenCache) + + // when + token, err := oauthClient.GetTokenMTLS("testID", "testURL", []byte("test"), []byte("test"), nil, nil, false) + + // then + assert.Error(t, err, apperrors.Internal("Failed to prepare certificate, %s", err.Error())) + assert.Equal(t, "", token) + tokenCache.AssertExpectations(t) + }) +} + func checkAccessTokenRequest(t *testing.T, r *http.Request) { err := r.ParseForm() require.NoError(t, err) diff --git a/components/central-application-gateway/pkg/authorization/oauthcertstrategy.go b/components/central-application-gateway/pkg/authorization/oauthcertstrategy.go index 42af05e0ba15..35b71dbef610 100644 
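Review bot: In the new `should fail if Certificate and Private Key is not valid` case, `assert.Error(t, err, apperrors.Internal(..., err.Error()))` never compares against that value: the third argument of `assert.Error` is only a failure message, and `err.Error()` inside it is evaluated before the assertion runs, so the test panics on a nil error instead of failing cleanly. Replace it with `require.Error(t, err)` followed by `assert.Contains(t, err.Error(), "Failed to prepare certificate")` so the certificate-parsing path is actually pinned. With that change the `apperrors` import added in this file's first hunk may become unused.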
--- a/components/central-application-gateway/pkg/authorization/oauthcertstrategy.go +++ b/components/central-application-gateway/pkg/authorization/oauthcertstrategy.go @@ -1,7 +1,6 @@ package authorization import ( - "crypto/tls" "fmt" "net/http" @@ -15,6 +14,7 @@ import ( type oauthWithCertStrategy struct { oauthClient OAuthClient clientId string + clientSecret string certificate []byte privateKey []byte url string @@ -22,10 +22,11 @@ type oauthWithCertStrategy struct { tokenRequestSkipVerify bool } -func newOAuthWithCertStrategy(oauthClient OAuthClient, clientId string, certificate, privateKey []byte, url string, requestParameters *RequestParameters) oauthWithCertStrategy { +func newOAuthWithCertStrategy(oauthClient OAuthClient, clientId string, clientSecret string, certificate, privateKey []byte, url string, requestParameters *RequestParameters) oauthWithCertStrategy { return oauthWithCertStrategy{ oauthClient: oauthClient, clientId: clientId, + clientSecret: clientSecret, certificate: certificate, privateKey: privateKey, url: url, @@ -35,12 +36,8 @@ func newOAuthWithCertStrategy(oauthClient OAuthClient, clientId string, certific func (o oauthWithCertStrategy) AddAuthorization(r *http.Request, _ clientcert.SetClientCertificateFunc, skipTLSVerification bool) apperrors.AppError { log.Infof("Passing skipTLSVerification=%v to GetTokenMTLS", skipTLSVerification) - cert, err := o.prepareCertificate() - if err != nil { - return apperrors.Internal("Failed to prepare certificate, %s", err.Error()) - } headers, queryParameters := o.requestParameters.unpack() - token, err := o.oauthClient.GetTokenMTLS(o.clientId, o.url, cert, headers, queryParameters, skipTLSVerification) + token, err := o.oauthClient.GetTokenMTLS(o.clientId, o.url, o.certificate, o.privateKey, headers, queryParameters, skipTLSVerification) if err != nil { log.Errorf("failed to get token : '%s'", err) return apperrors.Internal("Failed to get token: %s", err.Error()) 
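Review bot: `clientSecret` is added to `oauthWithCertStrategy` and its constructor in the preceding hunk, but `AddAuthorization` never passes it to `GetTokenMTLS` and `Invalidate` below does not use it either, so the strategy now retains a secret it never uses. Either forward it (which would need a matching `GetTokenMTLS` parameter) or drop the field and constructor parameter so secret material is not held without purpose; if keeping it is intentional, a field comment such as `// clientSecret is kept for parity with OAuthWithCert but is not sent on the mTLS token request` would make that explicit. `AddAuthorization` starts and ends outside this hunk.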
@@ -52,9 +49,5 @@ func (o oauthWithCertStrategy) AddAuthorization(r *http.Request, _ clientcert.Se } func (o oauthWithCertStrategy) Invalidate() { - o.oauthClient.InvalidateTokenCache(o.clientId, o.url) -} - -func (o oauthWithCertStrategy) prepareCertificate() (tls.Certificate, error) { - return tls.X509KeyPair(o.certificate, o.privateKey) + o.oauthClient.InvalidateTokenCacheMTLS(o.clientId, o.url, o.certificate, o.privateKey) } diff --git a/components/central-application-gateway/pkg/authorization/oauthcertstrategy_test.go b/components/central-application-gateway/pkg/authorization/oauthcertstrategy_test.go index e5a7d236e85a..b3ea10ea1414 100644 --- a/components/central-application-gateway/pkg/authorization/oauthcertstrategy_test.go +++ b/components/central-application-gateway/pkg/authorization/oauthcertstrategy_test.go @@ -1,6 +1,7 @@ package authorization import ( + "github.com/kyma-project/kyma/components/central-application-gateway/pkg/authorization/testconsts" "net/http" "testing" @@ -18,12 +19,9 @@ func TestAuthWithCerStrategy(t *testing.T) { // given oauthClientMock := &oauthMocks.Client{} - oauthStrategy := newOAuthWithCertStrategy(oauthClientMock, "clientId", certificate, privateKey, "www.example.com/token", nil) + oauthStrategy := newOAuthWithCertStrategy(oauthClientMock, "clientId", "clientSecret", certificate, privateKey, "www.example.com/token", nil) - prepareCertificate, err := oauthStrategy.prepareCertificate() - require.NoError(t, err) - - oauthClientMock.On("GetTokenMTLS", "clientId", "www.example.com/token", prepareCertificate, (*map[string][]string)(nil), (*map[string][]string)(nil), true).Return("token", nil) + oauthClientMock.On("GetTokenMTLS", "clientId", "www.example.com/token", []byte(testconsts.Certificate), []byte(testconsts.PrivateKey), (*map[string][]string)(nil), (*map[string][]string)(nil), true).Return("token", nil) request, err := http.NewRequest("GET", "www.example.com", nil) require.NoError(t, err) 
@@ -40,9 +38,9 @@ func TestAuthWithCerStrategy(t *testing.T) {
 t.Run("should invalidate cache", func(t *testing.T) {
 // given
 oauthClientMock := &oauthMocks.Client{}
- oauthClientMock.On("InvalidateTokenCache", "clientId", "www.example.com/token").Return("token", nil).Once()
+ oauthClientMock.On("InvalidateTokenCacheMTLS", "clientId", "www.example.com/token", certificate, privateKey).Return("token", nil).Once()
- authWithCertStrategy := newOAuthWithCertStrategy(oauthClientMock, "clientId", certificate, privateKey, "www.example.com/token", nil)
+ authWithCertStrategy := newOAuthWithCertStrategy(oauthClientMock, "clientId", "clientSecret", certificate, privateKey, "www.example.com/token", nil)
 // when
 authWithCertStrategy.Invalidate()
@@ -55,12 +53,8 @@ func TestAuthWithCerStrategy(t *testing.T) {
 // given
 oauthClientMock := &oauthMocks.Client{}
- authWithCertStrategy := newOAuthWithCertStrategy(oauthClientMock, "clientId", certificate, privateKey, "www.example.com/token", nil)
-
- prepareCertificate, err := authWithCertStrategy.prepareCertificate()
- require.NoError(t, err)
-
- oauthClientMock.On("GetTokenMTLS", "clientId", "www.example.com/token", prepareCertificate, (*map[string][]string)(nil), (*map[string][]string)(nil), false).Return("", apperrors.Internal("failed")).Once()
+ authWithCertStrategy := newOAuthWithCertStrategy(oauthClientMock, "clientId", "clientSecret", certificate, privateKey, "www.example.com/token", nil)
+ oauthClientMock.On("GetTokenMTLS", "clientId", "www.example.com/token", []byte(testconsts.Certificate), []byte(testconsts.PrivateKey), (*map[string][]string)(nil), (*map[string][]string)(nil), false).Return("", apperrors.Internal("failed")).Once()
 request, err := http.NewRequest("GET", "www.example.com", nil)
 require.NoError(t, err)
diff --git a/components/central-application-gateway/pkg/authorization/oauthstrategy.go b/components/central-application-gateway/pkg/authorization/oauthstrategy.go
index 5ac4659b0ecf..6ab1e6c67914 100644
--- a/components/central-application-gateway/pkg/authorization/oauthstrategy.go
+++ b/components/central-application-gateway/pkg/authorization/oauthstrategy.go
@@ -43,5 +43,5 @@ func (o oauthStrategy) AddAuthorization(r *http.Request, _ clientcert.SetClientC
 }
 func (o oauthStrategy) Invalidate() {
- o.oauthClient.InvalidateTokenCache(o.clientId, o.url)
+ o.oauthClient.InvalidateTokenCache(o.clientId, o.clientSecret, o.url)
 }
diff --git a/components/central-application-gateway/pkg/authorization/oauthstrategy_test.go b/components/central-application-gateway/pkg/authorization/oauthstrategy_test.go
index 83281b8f1631..5bb973c10f05 100644
--- a/components/central-application-gateway/pkg/authorization/oauthstrategy_test.go
+++ b/components/central-application-gateway/pkg/authorization/oauthstrategy_test.go
@@ -35,7 +35,7 @@ func TestAuthStrategy(t *testing.T) {
 t.Run("should invalidate cache", func(t *testing.T) {
 // given
 oauthClientMock := &oauthMocks.Client{}
- oauthClientMock.On("InvalidateTokenCache", "clientId", "www.example.com/token").Return("token", nil).Once()
+ oauthClientMock.On("InvalidateTokenCache", "clientId", "clientSecret", "www.example.com/token").Return("token", nil).Once()
 oauthStrategy := newOAuthStrategy(oauthClientMock, "clientId", "clientSecret", "www.example.com/token", nil)
diff --git a/resources/application-connector/values.yaml b/resources/application-connector/values.yaml
index f1d504cd0069..d5609424e4ef 100644
--- a/resources/application-connector/values.yaml
+++ b/resources/application-connector/values.yaml
@@ -35,7 +35,7 @@ global:
 version: "PR-15952"
 central_application_gateway:
 name: "central-application-gateway"
- version: "PR-15952"
+ version: "PR-15924"
 busybox:
 name: "busybox"
 version: "1.34.1"
diff --git a/tests/components/application-connector/Makefile.test-application-gateway b/tests/components/application-connector/Makefile.test-application-gateway
index 40f92783e2b9..694e43c23f20 100644
--- a/tests/components/application-connector/Makefile.test-application-gateway
+++ b/tests/components/application-connector/Makefile.test-application-gateway
@@ -60,4 +60,5 @@ enable-sidecar-after-mtls-test:
 generate-certs:
 ./scripts/generate-self-signed-certs.sh $(APP_URL) ./resources/charts/gateway-test/charts/test/certs/positive
 ./scripts/generate-self-signed-certs.sh $(APP_URL) ./resources/charts/gateway-test/charts/test/certs/negative
+ ./scripts/generate-self-signed-certs.sh test-other-ca ./resources/charts/gateway-test/charts/test/certs/invalid-ca
 cp -p -R ./resources/charts/gateway-test/charts/test/certs ./resources/charts/gateway-test/charts/mock-app
diff --git a/tests/components/application-connector/docs/application-gateway-tests.md b/tests/components/application-connector/docs/application-gateway-tests.md
index e64516953bc3..63e26b23b450 100644
--- a/tests/components/application-connector/docs/application-gateway-tests.md
+++ b/tests/components/application-connector/docs/application-gateway-tests.md
@@ -194,7 +194,7 @@ To run the mock application locally, follow these steps:
 ```shell
- docker run -p 8180:8080 -p 8190:8090 -v "$PWD/k8s/gateway-test/certs:/etc/secret-volume:ro" "$DOCKER_PUSH_REPOSITORY/mock-app:$DOCKER_TAG"
+ docker run -p 8180:8080 -p 8190:8090 -v "$PWD/resources/charts/gateway-test/charts/test/certs/positive:/etc/secret-volume:ro" -v "$PWD/resources/charts/gateway-test/charts/test/certs/negative:/etc/expired-server-cert-volume:ro" "$DOCKER_PUSH_REPOSITORY/mock-app:$DOCKER_TAG"
 ```
diff --git a/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-nagative-other-ca.yaml b/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-nagative-other-ca.yaml
index 9ebc518018e7..66b51b4e985a 100644
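Review bot: The third `generate-self-signed-certs.sh` invocation passes the literal `test-other-ca` where the two lines above pass `$(APP_URL)`, and nothing in the recipe says why the first argument changes meaning here (a CA label rather than the application host). If the script really emits a separate self-signed CA per invocation (not visible here), a comment above the line, `# separate CA so the invalid-ca client cert is rejected as untrusted rather than for any other reason`, would record the intent and keep the next maintainer from "fixing" it back to `$(APP_URL)`. If the name also lands in the certificate's subject, confirm the negative test fails only on the untrusted issuer and not on a name mismatch, otherwise it would keep passing even if issuer validation regressed.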
--- a/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-nagative-other-ca.yaml
+++ b/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-nagative-other-ca.yaml
@@ -6,6 +6,6 @@ metadata:
 type: Opaque
 data:
 {{- $files := .Files }}
- crt: {{ $files.Get "certs/negative/client.crt" | b64enc }}
- key: {{ $files.Get "certs/negative/client.key" | b64enc }}
- clientId: {{ "someClientID1" | b64enc }}
+ crt: {{ $files.Get "certs/invalid-ca/client.crt" | b64enc }}
+ key: {{ $files.Get "certs/invalid-ca/client.key" | b64enc }}
+ clientId: {{ "clientID" | b64enc }}
diff --git a/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-negative-expired-client-cert.yaml b/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-negative-expired-client-cert.yaml
index 37db5024c76d..b890d9486314 100644
--- a/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-negative-expired-client-cert.yaml
+++ b/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-negative-expired-client-cert.yaml
@@ -7,4 +7,4 @@ type: Opaque
 data:
 crt: 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
 key: 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
- clientId: {{ "someClientID2" | b64enc }}
\ No newline at end of file
+ clientId: {{ "clientID" | b64enc }}
\ No newline at end of file
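Review bot: With `clientId` set to the same `clientID` in every negative mTLS secret (this hunk and the `mtls-oauth-negative-expired-client-cert.yaml` hunk below it), the gateway's token cache can no longer tell these applications apart by client ID, so isolation between positive and negative cases rests entirely on the certificate and key bytes differing — which, per the commit description, is what the mTLS cache key is hashed from. That holds for this fixture, which now gets its own `invalid-ca` key pair, but please confirm that the expired-client-cert and expired-server-cert secrets do not reuse the positive client certificate together with the same token URL, otherwise a token cached by a passing case could satisfy a negative one and the test would pass for the wrong reason. A short comment in each negative template, `# same clientId as the positive app on purpose: the mTLS cache key is the cert/key pair`, would record that dependency. The file name `mtls-oauth-nagative-other-ca.yaml` also carries a typo (`nagative`) worth fixing while it is being touched.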
diff --git a/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-negative-expired-server-cert.yaml b/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-negative-expired-server-cert.yaml
index 1af713b8ce74..545249994f82 100644
--- a/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-negative-expired-server-cert.yaml
+++ b/tests/components/application-connector/resources/charts/gateway-test/charts/test/templates/applications/credentials/mtls-oauth-negative-expired-server-cert.yaml
@@ -5,6 +5,6 @@ metadata: namespace: kyma-integration type: Opaque data: - crt: 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 - key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBNGlkenp0WGNkb0N3bVg2b0d5K3l6UWNhbmJlWmZnbEFMWWtWS1RRWGthejJZbzBZCnV3cGRLVWFKNkRuRVRNVWd4ZjBvdFRYQ0FJT0czVzJJNnJHNzVRcGxVZlM0NXM1ZDgxUTlYaExGb05rSjVlaXMKUW1paUJJRFA4L2pDZEdKTThnaGlrUDVuTXFDSFF0aTVuRHcya0g0K2JkM0hXODJZMVZaSDljcCt1SkNrbnVyUwovbDArcVJSTGd1ZlRjRzRVTmJoYTBadlo1RzAxK1N2cnFVcG52ZVpBR2VxOU5paWFReGZKQWRxN0hIcysycUM4CmtEczRSWU5UUk1NQythdW54NXczWDh4RTJHSjFGR2NKM2ZGSzNMWGw2dFdpYUFqNUc2OWhKemg0bkczN0RXL1oKMEF0Ui8zcHZScHYrSTVYK1NRZlRUcGpDMEZuV3pnUmtnaG5xZXdJREFRQUJBb0lCQVFDWUFySzUzVkFocXlDSgpHL1E4eWRQaU1oczIxZGpyT2FhVXRPYXZXbDlaUUt3ZjAvMUNnNVhaRDV2VXB6ZUY3cDYzMWhGTnRFT2hlc2JsCkFTSWR0cmU0SFVPN1VjWVRCYlZxd0QyN2hOeW40QnJpR1lIbjVWSzV1aWVOTXJEcDc4VU9qb3BLTVdZR1JwYUUKWFE1dHNKOXdnaHJPV0ZzUEh1UFN5ZnIyZ0ZTckV2TEdYRUQxUVBFdUhqcllZeDBMcVJDVSt4NUhvajBkLzZyYgpOMEJjako5SHVwMDZLejN4QlBxemgyeHp1Q2kyYjdGc01vQndkTGcyNGM3bHJsZCtLb09ZdFczLzJSZUJPdXpHCk1HWjFPZlJJcERjdk9xNXlBWXZuYjcya0xJV3E2ZUxCVkx2ekFJZnBLRFBtbmVkd0p2dXVpcUZldktzQVY5eXAKSlo1NjdXeXBBb0dCQVBPbHZvT3pxRUwrN0c4RUM5TW9Vc0lOWVRMMXdYU3VUTzVvczlpc0doRzJHNlprajRWWgpPNlY4Qm1ET2tYT0NtRzNpTWY4M0NSVGs3Um5MVExiRVJJRkxzNFpnend0N2trVHVXSnlzTkRUeGZuMmFVeUlwCm9iNWFvWVozcHNiTXBIbmxNSGN2R1l4SXFVK0JzQVpnbGtOYTdSQVVwTnN5bkJWYzNpZEV5R0hmQW9HQkFPMmUKcWx1dlI4b096VC9jbzVCS1pWS05jQ2V2bHhJNmVXd1NrRDJaaGNuZU1aWFcyY3Z5NERzUWFHQWNKelJsaWpvNAo0RXFsN2VQM0VYbVZYNEtQWXlkSFpZWGZubEkwWVdrSHloR015anBueWFYUWZ2c3AyU1BpM0lKQTZCZ2htbThKCkxyMWFTcmtLaXE3bis3dmtVYitESktBSk0wZXoyc1dzTkNMMC9XTGxBb0dCQUpkcU1YTjNldUhudXRkakZGWXQKZ1FESGY5aERrZTRKUkJZRlMzOGp0Uys4bElKYmpEVzZ0cTZvM08zY2NkZnZHUHR3enRGa1NtaUp2QytEZ0RFMAoxNzNpWmJibEFzYUlET1o1bU9nRXZJMEtaeWwzZHFLTWJNLzNVdHBXRVhjS1JremFlYndYc1REVkZ5TXAzVktaClE4aW9BUnMxT1I1ZjNWQUpYcVhZd1E3UkFvR0Fid0ZvWkZ5R0ZRYkZLOGhQUU9FQVpJaGVsS3VhejVFeG1DTXoKN3hNQlJVVGZ0VGdobHYxbmN6QS9FbWNVaVkzRi9WMEVxdHJKUDIzMFkvQThKaW9HRUJ0eWVnLzFUa0hhSDg
3Ygp2MGNlVWhxYVFUUWRuZ2Yyd0tVQ2puYno5aEg4cTFLRzJ6NkxHZGFxNHZyTXh3SHFqcVVkUHdZTlJybm13ZUdvCm1Zd0pzMkVDZ1lFQXROSHI2TEx6VkVIaWU3MzhZV0doYnRSUGRPWGdFMStqVTdhZGZ4RXJtckVLL0ZZdkl5dmoKVWZ1WHlrZ3ZBeWF1Q2tiS2RsRFZkd1d5K2NuTXNCSkFSbFY5a1BGK2xwaTVweUpBL2J6blF4VVJHYmZ1UHNkUQpHZmRjUUhyMjVjR0xxN3E2Z0xaRUJxS0JpMmFZc3BkcmtNQTFIY0txNDhmVUNtNmZyMGVyelVzPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
- clientId: {{ "someClientID3" | b64enc }}
\ No newline at end of file
+ crt: 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
+ key: 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
+ clientId: {{ "clientID" | b64enc }}
\ No newline at end of file
diff --git a/tests/components/application-connector/resources/charts/gateway-test/values.yaml b/tests/components/application-connector/resources/charts/gateway-test/values.yaml
index 7e2934ee99d2..e23b7b58ea83 100644
--- a/tests/components/application-connector/resources/charts/gateway-test/values.yaml
+++ b/tests/components/application-connector/resources/charts/gateway-test/values.yaml
@@ -5,11 +5,11 @@ global:
 images:
 gatewayTest:
 name: "gateway-test"
- version: "v20221011-7ff00703"
+ version: "PR-15924"
 mockApplication:
 name: "mock-app"
- version: "v20221011-7ff00703"
+ version: "PR-15924"
 serviceAccountName: "test-account"
 namespace: "test"
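Review bot: The removed `key:` line shows a complete RSA private key committed inline in this template, and the replacement `crt:`/`key:` lines (elided on this page) keep the same inline pattern rather than the `$files.Get` lookup the other-ca secret now uses. Since `make generate-certs` already produces the `positive`, `negative` and `invalid-ca` fixtures at test time, consider sourcing this secret the same way, `key: {{ $files.Get "certs/<fixture-dir>/client.key" | b64enc }}` (with `<fixture-dir>` being whichever directory holds the expired material), so no private key has to live in the repository history. If the material must be static because it has to be already expired, a comment above `data:` such as `# static, already-expired test-only key pair; never used outside the gateway tests` tells whoever triages a secret-scanner hit why it is there.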